Skip to main content
株式会社オブライト
AI2026-07-166 min read

OpenAI's GPT-Red Explained: Automated Red-Teaming Where AI Attacks AI to Harden It

Cutting GPT-5.6's Prompt-Injection Failure Rate to 0.05% (Announced 2026-07-15)

A deep dive into GPT-Red (July 15, 2026): OpenAI's internal automated red-teamer trained by self-play RL to attack its own models, then used to harden GPT-5.6 — a 'self-improvement for safety.' Covers the method, the 0.05% prompt-injection failure rate, a vending-machine agent breach, and what it means for businesses adopting AI agents.


GPT-Red is an internal-only red-teaming AI that OpenAI unveiled on July 15, 2026 to automatically discover vulnerabilities in its own models. To overcome the bottleneck of human-only vulnerability testing, it is trained by self-play reinforcement learning to attack, and its attacks are then used to adversarially train production models — hardening them. As a result, the latest GPT-5.6 Sol is far more resistant to prompt injection. Note that 'self-improvement' here means improving safety, not model intelligence.

This article is a neutral, source-based explainer of an industry development — not a guide to reproducing attacks. It focuses on what businesses adopting AI agents should understand about the risk and the direction of mitigations.

What Is Prompt Injection?

Prompt injection hides malicious instructions inside third-party data an AI processes — a web page, email body, file, or tool response — to steer the model away from its intended task. Agents necessarily touch third-party data through browsers, connected apps, and files to do useful work, which also creates openings for attackers. OpenAI's example: an instruction crafted to trick the model into uploading sensitive data to an external server, embedded in an email, webpage, or code repository. The more authority you grant an agent, the more real this risk becomes.

What Was Announced: Growing an 'Attacker AI' at Scale

Human red-teaming is essential but slow to design and run, and it can't generate the volume and diversity of adversarial data needed to train for robustness. So OpenAI has been building automated red-teamers that find vulnerabilities and generate attacks during training. GPT-Red is the culmination — trained at a compute scale rivaling OpenAI's largest post-training runs, described as an unprecedented amount of compute dedicated purely to improving safety. OpenAI frames using today's models to make tomorrow's safer as a form of self-improvement for safety.

How It Works: Self-Play Between Attacker and Defenders

GPT-Red trains via self-play RL: it and a set of diverse defender LLMs train simultaneously. GPT-Red is rewarded for eliciting a valid failure (a successful injection); defenders are rewarded for resisting while completing their tasks. As defenders harden, GPT-Red must find stronger, more diverse attacks — lifting both. Training uses a large set of realistic scenarios where injections might live: part of a local file, a webpage banner, an email body, or a tool's output.

Loading diagram...

By the end of training, GPT-Red can break nearly all models it faces, internal and production, up to and including GPT-5.5. Its attacks were then used to train GPT-5.6, which became highly resistant to them. Crucially, OpenAI keeps GPT-Red internal-only and separate from deployed models — keeping deliberately instilled attack capabilities out of adversaries' hands while transferring only robustness to production.

How Strong, and How Much It Helped

MetricResult
GPT-5.6 Sol on hardest direct prompt injection6× fewer failures vs best model 4 months earlier
GPT-5.6 Sol failure rate vs GPT-Red's direct attacksjust 0.05%
Attack success on novel scenarios (vs GPT-5.1)GPT-Red 84% / humans 13%
'Fake CoT' attack success95%+ on GPT-5.1 → under 10% on GPT-5.6 Sol
Indirect-injection benchmarks (dev tools, browsing)>97% accuracy on latest model (saturated)

GPT-Red also generalized to unseen scenarios. On a replicated indirect prompt-injection arena (Dziemian et al. 2025), GPT-Red succeeded on 84% of scenarios versus 13% for human red-teamers. An early version discovered a new class of 'Fake Chain-of-Thought' direct attacks — 95%+ success on GPT-5.1, now under 10% on the hardened GPT-5.6 Sol.

Real-World Test: Breaking a Vending-Machine Agent

Beyond benchmarks, GPT-Red attacked a near-real agent: 'Vendy,' an AI vending-machine agent in OpenAI's office (by Andon Labs, à la Project Vend). It rehearsed in simulation, then transferred attacks to the live agent, achieving all three malicious goals — repricing an expensive item to the $0.50 minimum, listing a $100+ item at $0.50, and canceling another customer's order (vulnerabilities disclosed, fixes under test). It also beat a Codex CLI agent (GPT-5.4 mini) on 10 held-out data-exfiltration scenarios with higher success and fewer tokens. A vivid demonstration that granting real authority to autonomous agents can be steered into real harm.

Robust Without Getting Dumber

A model can look safer by refusing more or doing less — but that isn't useful robustness. OpenAI evaluated both frontier capabilities and purpose-built over-refusal tests, reporting that normal capabilities were unaffected while robustness rose — meaning the gains came from resisting malicious instructions, not from refusing legitimate requests or avoiding tools.

What It Means for Businesses

This is frontier-lab internal work, but there's a direct lesson for companies deploying agents: prompt injection is a real, demonstrable risk, and mitigations on the user side must be built through operational design, separate from frontier-model hardening.

- Minimize agent authority: gate irreversible actions (sending email, uploading files, payments, config changes) behind human approval — see getting started with AI agents
- Treat external data as data, not instructions: set rules so web/email/shared-file content is never executed as commands
- Constrain data egress: technically limit where agents can send or upload data — the same access-scope thinking as offboarding cloud accounts
- Vet vendor safeguards: check how your chosen AI tools handle injection, monitoring, and logging
- Local/on-prem isn't a silver bullet: in-house AI operation reduces leak paths but injection can still arrive via input data

Caveats

- Self-reported: results use OpenAI's own environments; a preprint with more detail is promised, and third-party verification is pending
- GPT-Red is not public — it's an internal model for hardening production systems
- Not 'solved' but an arms race: scaling finds new attacks even as it improves robustness; OpenAI pairs it with human/third-party red-teaming, layered safeguards, and monitoring
- Self-improvement debate: safety self-improvement is welcome, but it's continuous with capability self-improvement, and questions about external evaluation remain open

Takeaway

GPT-Red starts turning the 'AI trains AI' loop — already used for capabilities — toward safety. Using today's models to make tomorrow's more robust makes sense in an era when attackers automate attacks with AI too. The practical translation for businesses is simple: agents are powerful, but touching external data leaves injection risk — so minimizing authority, handling external data carefully, and constraining data egress are defenses users must prepare, independent of model hardening.

Can the public use GPT-Red?

No. GPT-Red is an internal-only model OpenAI uses to harden its production systems; it is not offered externally, deliberately keeping its attack capabilities out of adversaries' hands.

Can prompt injection happen with the AI tools my company uses?

Yes. As long as an AI touches external data — web, email, files, connected apps — malicious instructions can be embedded there. Defend with operational design: minimize agent authority, require human approval for irreversible actions, and constrain where sensitive data can be sent.

Is this about the model getting smarter?

No. Here 'self-improvement' means improving safety/robustness, not intelligence. It's a mechanism to use today's model (GPT-Red) to harden future models, not a capability upgrade to GPT-5.6 itself.

Feel free to contact us

Contact Us